The Irish Data Protection Commission (DPC) has slapped Meta with a $101.5 million (€91 million) fine after wrapping up an investigation into a security breach in 2019, wherein the company mistakenly stored users’ passwords in plain text, Engadget reported.
Meta’s original announcement only talked about how it found some user passwords stored in plain text on its servers in January of that year. But a month later, it updated its announcement to reveal that millions of Instagram passwords were also stored in easily readable format.
While Meta didn’t say how many accounts were affected, a senior employee told Krebs on Security back then that the incident involved up to 600 million passwords. Some of the passwords had been stored in easily readable format on the company’s servers since 2012. They were also reportedly searchable by over 20,000 Facebook employees, though the DPC has clarified in its decision that they were at least not made available to external parties.
Reuters reported the lead European Union privacy regulator fined social media giant Meta 91 million euros ($101.5 million) on Friday for inadvertently storing some users’ passwords without protection or encryption.
The inquiry was opened five years ago after Meta notified Ireland’s Data Protection Commission (DPC) that it had stored some passwords in ‘plaintext’. Meta publicly acknowledged the incident at the time and the DPC said the passwords were not made available to external parties.
“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Irish DPC Deputy Commissioner Graham Doyle said in a statement.
A Meta spokesperson said the company took immediate action to fix the error after identifying it during a security review in 2019, and that there is no evidence the passwords were abused or accessed improperly.
Ars Technica reported officials in Ireland have fined Meta $101 million for storing hundreds of millions of user passwords in plaintext and making them broadly available to company employees.
Meta disclosed the lapse in early 2019. The company said that apps for connecting to various Meta-owned social networks had logged user passwords in plaintext and stored them in a database that had been searched by roughly 2,000 company engineers, who collectively queried the stash more than 9 million times.
Meta officials said at the time that the error was found during a routine security review of the company’s internal network data storage practices. They went on to say that they uncovered no evidence that anyone internally improperly accessed the passcodes or that the passcodes were ever accessible to people outside of the company.
Despite those assurances, the disclosure exposed a major security failure on the part of Meta. For more than three decades, best practices across just about every industry have been to cryptographically hash passwords. Hashing is the practice of passing a password through a one-way cryptographic algorithm that produces a fixed-length string of characters that is, in practice, unique to each distinct plaintext input and cannot be reversed to recover the original password.
In my opinion, it sounds as though Meta wasn’t interested in having this information be reported on. It makes no sense for a company like Meta to hide what they were doing with customers’ passwords.